Data protection laws are set to change in a few weeks as we prepare for the introduction of the new General Data Protection Regulation (GDPR). But what do the new rules mean, and why do they matter for GPs?

The GDPR replaces the current Data Protection Act, and will set a stronger framework for how we collect, store and share data across the health and care system in future. The new rules also come at a time when public awareness of data issues has never been greater.

It is my strong belief that GDPR will help to build patient confidence in how their information will be accessed and used, and ensure that we can continue to yield the benefits of having a more connected and integrated approach to data management.

At the core of GDPR is the need to appoint a data protection officer or data protection lead within every organisation – a named person responsible for overseeing the handling of sensitive personal data either within a practice or across multiple practices.

All organisations will also be required to demonstrate that they are complying with the new regulations and must report any security breaches within 72 hours in a bid to boost transparency and accountability. We need to have the same fast and forensic approach to addressing any compromised data as we do to failures in patient care – both are fundamentally breaches of patient trust and safety.

The new laws also put more power into the hands of the patient. They will mean that for the first time patient data can be requested and obtained within a month – rather than the current 40 days. Patients will also have the power to request their information is moved or deleted. They will, in other words, have greater agency and control over how their data is managed than ever before.

There are, clearly, important logistical challenges for GP practices in preparing for the new regulations, which is why we have been working with NHS Digital and the Information Commissioner’s Office to prepare a range of tailored advice to help practices prepare and get to grips with the new rules as quickly as possible.

But let’s not lose sight of why this matters. In the 70 years since the NHS was created, clinicians and scientists have consistently approached data with the guiding principle that it can make a huge difference to patient care. And there is consensus that this matters now more than ever, not least as we seek to deliver fast, effective transfer of records, helping to join up care for patients with complex and multiple conditions.

Yet we can only travel as fast and as far as the public’s confidence allows us, and in a volatile climate, where people are asking serious questions about the ethics of Big Data, the introduction of this new regulation – alongside the work already being done in the wake of Fiona Caldicott’s Review – gives us definitive answers within healthcare.

By implementing the regulation, we can win permission to ensure more patients can benefit from an improved experience and better outcomes as a result of fully integrated and shared personal medical records.

Lord O'Shaughnessy is parliamentary under secretary of state for health (Lords)

What are the new data regulations?

The General Data Protection Regulation (GDPR) is a new set of EU rules that comes into force in the UK on May 25, 2018.

The new rules mean GP practices and other health organisations, as processors of personal data, will have to meet strengthened standards for data protection.

Many of the main requirements of GDPR are similar to those in the current Data Protection Act - however there are a number of new elements that will impact on how practices handle data. The key elements are:

The requirement to appoint a Data Protection Officer

Practices will be obliged to demonstrate they comply with the new law

Significantly increased penalties possible for any breach of the regulations - not just data breaches

A legal requirement for security breach notification within 72 hours

The removal of charges, in most cases, for providing copies of records to patients or staff who request them and a new timescale to provide this within one calendar month (instead of 40 days)

Readers' comments (3)

"Patients will also have the power to request their information is moved or deleted"

The right to data portability (I think that is what you are referring to) does not apply to GP records - it only applies "where the processing is based on the individual’s consent or for the performance of a contract". For GP records, we do not rely upon consent, and we do not have a contract with the patient.

The right to erasure does not apply if processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority - Article 6(1)(e), which is the legal basis that we are relying upon for our GP records. Patients have the right to rectification, but not to their records being "deleted".